NSW Reconstruction Authority Public Notification Register

Date of eligible data breach
Between 12 and 15 March 2025.

Type and description of the breach
An eligible data breach where some personal information provided by people during the RHP applications process was uploaded by a former temporary employee of the NSW Reconstruction Authority (RA) to the AI platform, ChatGPT.

The data shared was contained in a Microsoft Excel spreadsheet with 10 columns and more than 12,000 rows of information.

How the breach occurred
The breach occurred when a former temporary staff member of RA uploaded data containing personal information to an unsecured Artificial Intelligence (AI) tool which was not authorised by RA.

Other affected agencies (if applicable)
N/A

Personal information subject to the breach
The information disclosed includes general case information as well as:
•    Name and contact details
•    Residential/mailing address
•    Date of birth
•    Sensitive personal information
•    Limited financial commentary, but not banking or financial details

Time the information was available as a consequence of disclosure, access, or loss
Ongoing.

Risk mitigation activities and or planned action to control harm
RA is working with Cyber Security NSW to monitor the internet and dark web to see if any of this information is accessible online. The NSW Privacy Commissioner has also been notified.

RA has reviewed and strengthened internal systems and processes and issued clear guidance to staff on the use of non-sanctioned AI platforms. Safeguards are now in place to prevent future uploads of personal information into ChatGPT and other AI platforms.

Recommended action(s) for affected individuals
• If anyone impacted wants to discuss the exact types of their personal information that was involved in the data breach they can contact RA on 1800 844 085. Staff are available Monday to Friday from 9am to 5pm, excluding public holidays.

• We encourage anyone impacted to regularly check credit card and bank statements for unusual transactions. Anyone impacted can ask for a temporary ban on cards or accounts if they detect unusual activity and suspect fraud. Anyone impacted can cancel or suspend the card and request a new card if there are unauthorised transactions or transfers.

• We are also encouraging everyone to remain vigilant of scammers and to remain alert, especially with email, text messages or telephone calls and to use two-step authentication for personal email accounts and other online accounts.

• We are asking people not to share personal information over the phone unless they are certain about who they are sharing it with. And if they notice suspicious access to email accounts and other online accounts, they should reset passwords for their accounts. 

Further information can be found on the Resilient Homes Program data breach page.  

Date Notification published
26 March 2026